How can you kill the process with these functions?

kozol · Jul 31, 2025 at 12:28 AM

.idata:0000000000012000 ; Segment type: Externs
.idata:0000000000012000 ; _idata
.idata:0000000000012000 ; void (__stdcall *KeStallExecutionProcessor)(ULONG MicroSeconds)
.idata:0000000000012000 extrn KeStallExecutionProcessor:qword
.idata:0000000000012000 ; CODE XREF: sub_11A20+B1↑p
.idata:0000000000012000 ; DATA XREF: sub_11A20+B1↑r ...
.idata:0000000000012008 ; BOOLEAN (__stdcall *HalTranslateBusAddress)(INTERFACE_TYPE InterfaceType, ULONG BusNumber, PHYSICAL_ADDRESS BusAddress, PULONG AddressSpace, PPHYSICAL_ADDRESS TranslatedAddress)
.idata:0000000000012008 extrn HalTranslateBusAddress:qword
.idata:0000000000012008 ; CODE XREF: sub_11C30+108↑p
.idata:0000000000012008 ; sub_11C30+12B↑p
.idata:0000000000012008 ; DATA XREF: ...
.idata:0000000000012010
.idata:0000000000012018 ;
.idata:0000000000012018 ; Imports from ntoskrnl.exe
.idata:0000000000012018 ;
.idata:0000000000012018 ; NTSTATUS (__stdcall *IoCreateDevice)(PDRIVER_OBJECT DriverObject, ULONG DeviceExtensionSize, PUNICODE_STRING DeviceName, ULONG DeviceType, ULONG DeviceCharacteristics, BOOLEAN Exclusive, PDEVICE_OBJECT *DeviceObject)
.idata:0000000000012018 extrn IoCreateDevice:qword
.idata:0000000000012018 ; CODE XREF: sub_11000+AB↑p
.idata:0000000000012018 ; DATA XREF: sub_11000+AB↑r ...
.idata:0000000000012020 ; void (__stdcall *RtlInitUnicodeString)(PUNICODE_STRING DestinationString, PCWSTR SourceString)
.idata:0000000000012020 extrn RtlInitUnicodeString:qword
.idata:0000000000012020 ; CODE XREF: sub_11000+77↑p
.idata:0000000000012020 ; sub_11000+D9↑p ...
.idata:0000000000012028 ; int (*snwprintf)(wchar_t *Dest, size_t Count, const wchar_t *Format, ...)
.idata:0000000000012028 extrn _snwprintf:qword ; CODE XREF: sub_11000+2F↑p
.idata:0000000000012028 ; sub_11000+4A↑p ...
.idata:0000000000012030 ; NTSTATUS (__stdcall *IoDeleteSymbolicLink)(PUNICODE_STRING SymbolicLinkName)
.idata:0000000000012030 extrn IoDeleteSymbolicLink:qword
.idata:0000000000012030 ; CODE XREF: sub_111D0+3A↑p
.idata:0000000000012030 ; DATA XREF: sub_111D0+3A↑r
.idata:0000000000012038 ; void (__stdcall *IofCompleteRequest)(PIRP Irp, CCHAR PriorityBoost)
.idata:0000000000012038 extrn IofCompleteRequest:qword
.idata:0000000000012038 ; CODE XREF: sub_11270+2B4↑p
.idata:0000000000012038 ; DATA XREF: sub_11270+2B4↑r
.idata:0000000000012040 ; void (__stdcall *ExFreePoolWithTag)(PVOID P, ULONG Tag)
.idata:0000000000012040 extrn ExFreePoolWithTag:qword
.idata:0000000000012040 ; CODE XREF: sub_11740+39↑p
.idata:0000000000012040 ; DATA XREF: sub_11740+39↑r
.idata:0000000000012048 ; NTSTATUS (__stdcall *ZwClose)(HANDLE Handle)
.idata:0000000000012048 extrn ZwClose:qword ; CODE XREF: sub_11C30+202↑p
.idata:0000000000012048 ; DATA XREF: sub_11C30+202↑r
.idata:0000000000012050 ; PVOID (__stdcall *ExAllocatePoolWithTag)(POOL_TYPE PoolType, SIZE_T NumberOfBytes, ULONG Tag)
.idata:0000000000012050 extrn ExAllocatePoolWithTag:qword
.idata:0000000000012050 ; CODE XREF: sub_11B10+67↑p
.idata:0000000000012050 ; DATA XREF: sub_11B10+67↑r
.idata:0000000000012058 ; void (__stdcall *RtlZeroMemory)(void *, SIZE_T Length)
.idata:0000000000012058 extrn RtlZeroMemory:qword
.idata:0000000000012058 ; CODE XREF: sub_11000+C2↑p
.idata:0000000000012058 ; DATA XREF: sub_11000+C2↑r
.idata:0000000000012060 ; NTSTATUS (__stdcall *ZwUnmapViewOfSection)(HANDLE ProcessHandle, PVOID BaseAddress)
.idata:0000000000012060 extrn ZwUnmapViewOfSection:qword
.idata:0000000000012060 ; CODE XREF: sub_11740+2E↑p
.idata:0000000000012060 ; DATA XREF: sub_11740+2E↑r
.idata:0000000000012068 ; NTSTATUS (__stdcall *ZwMapViewOfSection)(HANDLE SectionHandle, HANDLE ProcessHandle, PVOID *BaseAddress, ULONG_PTR ZeroBits, SIZE_T CommitSize, PLARGE_INTEGER SectionOffset, PSIZE_T ViewSize, SECTION_INHERIT InheritDisposition, ULONG AllocationType, ULONG Win32Protect)
.idata:0000000000012068 extrn ZwMapViewOfSection:qword
.idata:0000000000012068 ; CODE XREF: sub_11C30+1CE↑p
.idata:0000000000012068 ; DATA XREF: sub_11C30+1CE↑r
.idata:0000000000012070 ; NTSTATUS (__stdcall *ObReferenceObjectByHandle)(HANDLE Handle, ACCESS_MASK DesiredAccess, POBJECT_TYPE ObjectType, KPROCESSOR_MODE AccessMode, PVOID *Object, POBJECT_HANDLE_INFORMATION HandleInformation)
.idata:0000000000012070 extrn ObReferenceObjectByHandle:qword
.idata:0000000000012070 ; CODE XREF: sub_11C30+D4↑p
.idata:0000000000012070 ; DATA XREF: sub_11C30+D4↑r
.idata:0000000000012078 ; NTSTATUS (__stdcall *ZwOpenSection)(PHANDLE SectionHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes)
.idata:0000000000012078 extrn ZwOpenSection:qword
.idata:0000000000012078 ; CODE XREF: sub_11C30+A7↑p
.idata:0000000000012078 ; DATA XREF: sub_11C30+A7↑r
.idata:0000000000012080 ; NTSTATUS (__stdcall *IoCreateSymbolicLink)(PUNICODE_STRING SymbolicLinkName, PUNICODE_STRING DeviceName)
.idata:0000000000012080 extrn IoCreateSymbolicLink:qword
.idata:0000000000012080 ; CODE XREF: sub_11000+E9↑p
.idata:0000000000012080 ; DATA XREF: sub_11000+E9↑r
.idata:0000000000012088 ; void (__stdcall *IoDeleteDevice)(PDEVICE_OBJECT DeviceObject)
.idata:0000000000012088 extrn IoDeleteDevice:qword
.idata:0000000000012088 ; CODE XREF: sub_11000+FA↑p
.idata:0000000000012088 ; sub_111D0+43↑p
.idata:0000000000012088 ; DATA XREF: .

Думаем.

ring · Jul 31, 2025 at 12:30 AM

получить дескриптор, открыть или создать секцию памяти, выделить память, насрать в память вредоносными данными, закрыть дескриптор и высвободить память

kozol · Jul 31, 2025 at 12:30 AM

Address
Ordinal Name
0000000000012000
KeStallExecutionProcessor
Library
HAL
0000000000012008
HalTranslateBusAddress
HAL
0000000000012018
IoCreateDevice
ntoskrnl
0000000000012020
RtInitUnicodeString
ntoskrnl
0000000000012028
_snwprintf
ntoskrnl
0000000000012030
IoDeleteSymbolicLink
ntoskrnl
0000000000012038
IofCompleteRequest
ntoskrnl
0000000000012040
ExFreePoolWithTag
ntoskrnl
0000000000012048
ZwClose
ntoskrnl
0000000000012050
ExAllocatePoolWithTag
ntoskrnl
0000000000012058
RtZeroMemory
ntoskrnl
0000000000012060
ZwUnmapViewOfSection
ntoskrnl
0000000000012068
ZwMapViewOfSection
ntoskrnl
0000000000012070
ObReferenceObjectByHandle
ntoskrnl
0000000000012078
ZwOpenSection
ntoskrnl
0000000000012080
IoCreateSymbolicLink
ntoskrnl
0000000000012088
IoDeleteDevice
ntoskrnl
Более читаемый вид

Checker Outlook /Hotmail

Quick proxy checker on Go with sorting by countries, protocols, types

Are there people who reverses the indjection of game?

Exam in infa?

Give the ideas that you can write

What programming languages do you need to know for khaking / creating harmful programs?

Help decide the error with the Lolsa API

How can you kill the process with these functions?

How do you decide captcha with Playwright/ Selenium/ Requests

How can PEER-to-Peer be implemented using WebRTC?

What is better to use for bots on the server?

In what language to write software

Writing the styler

How to bypass Telegram session crashes when using Pyrogram or Telethon

Are there any lebe for working with captcha?

Free AutoSMM for Funpay Cardinal

How to put TG bot on a host?

Casino from VK

Need a coder for analyzing the telegrams of the bot

I am looking for excellent hacker technology, a site for penetration and type of check.

About freelance

How to send a message to a large number of TG contacts using Pyrogram immediately?

I am looking for an idea

Need a *****Forceer

[FEEDBACK] Order fulfillment for review

What could it be? Telegram auto -mail

About the database

What is better to study, C ++ or GO?

Looking for a Telegram Web application developer

[Free] Client part of Interac

How can you kill the process with these functions?